Please Note: This article is cross-posted from fudsec.com.
I've been reading Richard Clarke's latest book, Cyber War, in an effort to delve deeper into the topic. Maybe it's all the recent inflammatory rhetoric, or maybe it's an earnest interest, or maybe - just maybe - it comes from an innate interest in fighting obtuse uses and abuses of FUD.
The tone of the book is initially far less FUD-y than one might expect. Some of the technical details are clearly off a bit, but overall it's been surprisingly level-headed. Except for the scenarios. These are some of the most over-the-top scenarios I've seen since "digital Pearl Harbor" in 2000. In this case, though, they give me pause, and not just because of the glaring FUD factor.
What I wonder is this: just how much data and control must we lose before we stand up and start taking action? How many proprietary designs, plans, formulas, etc., must be compromised? How many SCADA systems have to be pwned? Is it really going to take a massive blackout before energy company execs wake up and smell the ozone?
Clarke asserts that foreign assets have already embedded attack tools ("logic bombs") into many, if not all, critical infrastructures. We've not done an adequate job of supply chain management, so consider that his assertion may, in fact, be fact-based and plausible. Now add the factual assertions that massive research databases (academic, government, and corporate) have been copied wholesale by these same foreign assets. Accept this as fact, if you will, and not as FUD. How does this change your perspective on the topic?
The Case For FUD
Taking the previous examples as fact (we can debate the depth of pwnage, but I think we can all agree that there are serious concerns here), there may be a valid case for FUDtastic scenarios like the ones Clarke uses in his book. The "digital Pearl Harbor" example of yore is nothing by comparison. He puts an interesting spin on it: what if there is a reasonable upside for a foreign power in taking down our critical infrastructure in a single, well-coordinated attack? What if our assumption of a "cold war" styled standoff (based largely on a belief in economic interdependency) isn't actually valid?
Anybody who has attended Black Hat and DEFCON should know definitively just how good the breakers are these days, and just how far behind the curve most organizations really are. Pulling out a book like Clarke's can help drive home this point in a wonderfully FUDerific manner. "If you don't fix things NOW, then you will lose everything!!!" Or so it might go in your head. After all, there's nothing like a healthy dose of fear to motivate people. Or does it really work that way?
The Case Against FUD
There are a couple of deficiencies with using FUD to make an argument. Excessive and continuous use of FUD can reduce the message to background noise. It can also hurt your credibility. If FUD spews forth every time you open your mouth, then people will tune you out or avoid you. We in infosec - especially vendors - seem to be historically guilty of this, as evidenced by how hard it is to get the attention of execs.
Another problem is context. If everything is expressed as the highest of high risks, then how do you decide how to respond? If everything rates a 10 (on a 10-pt scale), then does that mean everything must be addressed immediately? How do you justify that?
Along these same lines, there's also typically a lack of adequate supporting data to justify the consistently hyped state. Where are the metrics and measurements? Have the risk factors been measured and ranked using a reliable method? FUD tends not to have these supporting structures, which further damages credibility.
"We're So Screwed"
This statement probably summarizes our situation today, at least from the U.S. perspective. How do we get this message across? If we have a high degree of credibility, and if we haven't abused the use of escalated rhetoric, and if we have some facts to back us up, then and only then can we whip out some FUD to make our point (of course, we could debate whether this is really FUD, but I digress...). You have all that today, right? No? Uh oh. Now what?
This, I think, reflects our current situation. We are sorely in need of a breakthrough, too (SCADA owners - I'm looking at you!). One step being taken is that DHS is now sending teams out to energy companies to help with security, but this seems unlikely to be sufficient. We have decent methods for modeling risk (e.g. FAIR, Factor Analysis of Information Risk). How do we take the next step? How do we get the message across in a way that spurs meaningful action? What do you think?